Article 10 Digital Operational Resilience Act (DORA), Response and Recovery
Article 10 of the Digital Operational Resilience Act (DORA) sets out the requirements for financial entities to develop and implement robust response and recovery measures for ICT-related incidents. This article emphasizes the importance of having well-defined policies and procedures to ensure the continuity and resilience of financial operations during disruptions. Below is a detailed overview of the requirements outlined in Article 10.
ICT Business Continuity Policy
Financial entities are required to establish a comprehensive ICT Business Continuity Policy as a key component of their overall operational business continuity strategy. This policy must be based on the identification of critical ICT systems and services, as outlined in Article 7. The ICT Business Continuity Policy should include documented arrangements, plans, and procedures designed to address and manage ICT-related incidents effectively.
Implementation and Management
The ICT Business Continuity Policy must be implemented through detailed and well-documented procedures. This includes:
- Incident Recording: Financial entities must maintain a record of all ICT-related incidents, ensuring that each incident is documented and analyzed.
- Continuity of Critical Functions: The policy must ensure that critical functions of the financial entity continue operating even during an ICT incident.
- Incident Response and Resolution: The policy should include procedures for responding to and resolving ICT-related incidents, particularly cyber-attacks. These procedures must aim to minimize damage, prioritize the resumption of normal activities, and initiate recovery actions promptly.
- Containment and Recovery: Financial entities must activate plans that set out containment measures and the processes and technologies suited to each type of ICT-related incident. Response and recovery procedures should be tailored to specific incident types as per Article 11.
- Impact Assessment: Financial entities need to estimate the preliminary impacts, damages, and losses associated with the incident.
- Communication and Crisis Management: The policy should outline communication strategies to ensure that updated information is shared with internal staff and external stakeholders. Additionally, it must include reporting requirements to competent authorities as detailed in Article 17.
ICT Disaster Recovery Plan
In addition to the Business Continuity Policy, financial entities must implement an ICT Disaster Recovery Plan. For entities other than microenterprises, this plan must undergo independent audit reviews to ensure its effectiveness and compliance.
Testing and Review
To maintain operational resilience, financial entities must regularly test their ICT Business Continuity Policy and Disaster Recovery Plan. This includes:
- Annual Testing: The Business Continuity Policy and Disaster Recovery Plan should be tested at least annually. Testing must also occur after significant changes to ICT systems.
- Crisis Communication Testing: Crisis communication plans, as described in Article 13, must also be tested to ensure they are effective.
- Scenario Planning: Entities other than microenterprises should include scenarios such as cyber-attacks and switchovers between primary ICT infrastructure and backup systems in their testing plans.
Regular reviews of the Business Continuity Policy and Disaster Recovery Plan are essential, taking into account test results, audit recommendations, and supervisory reviews.
Crisis Management and Record-Keeping
Entities other than microenterprises are required to establish a crisis management function. This function should manage both internal and external communications during the activation of the Business Continuity Policy or Disaster Recovery Plan, in line with Article 13.
Additionally, financial entities must maintain detailed records of their activities before and during disruptions. These records should be readily accessible so that actions taken can be reviewed for transparency and accountability.
Reporting Obligations
Financial entities mentioned in point (f) of Article 2(1) must provide competent authorities with copies of the results from ICT business continuity tests or similar exercises conducted during the review period.
Furthermore, entities other than microenterprises must report all costs and losses incurred due to ICT disruptions and incidents to the relevant authorities. This reporting helps assess the impact of incidents and improve resilience strategies.
Conclusion
Article 10 of DORA underscores the necessity for financial entities to have well-defined response and recovery measures for ICT-related incidents. By implementing a comprehensive ICT Business Continuity Policy and Disaster Recovery Plan, regularly testing these measures, and maintaining effective crisis management and communication strategies, financial entities can enhance their resilience against ICT disruptions. These measures are crucial for ensuring the continuity of critical functions, minimizing damage, and facilitating recovery in the event of an ICT incident.